Method and system of payment by electronic cheque

ABSTRACT

An offline payment method includes communicating a commitment value calculated by an electronic check medium to a terminal configured to receive a payment from the electronic check medium. The commitment value is calculated based on a first authentication code and a secret key, wherein the first authentication code is calculated based on a payment amount and a secret verification key. The terminal determines and communicates a random/pseudo-random guesstimation to the electronic check medium in response to receiving the verification code, the random/pseudo-random guesstimation being configured to verify that the electronic check medium is authentic. The electronic check medium determines and communicates a second authentication code to the terminal, the second authentication based upon the random/pseudo-random guesstimation. The terminal compares the second authentication with the random/pseudo-random guesstimation to verify the second authentication and accepts payment from the electronic check medium when the second authentication is verified.

The present invention relates to a method of payment by electronic cheque, in particular in the case of a direct transaction between solely, on the one hand, a payment issuer furnished with a medium comprising at least one blank electronic cheque certified by a financial institution and an overall amount useable at least partially in respect of the electronic cheque, and, on the other hand, a recipient of the payment furnished with a device adapted to receive at least one aforesaid electronic cheque of the abovementioned medium.

Numerous problems arise in the securing of such payment systems, in particular when these payments are desired to be made in a so-called “off-line” manner, that is to say with no link with the main computer of a financial institution such as a bank or a company for managing payments by electronic memory card and means of electronic dialogue.

One practice which is currently spreading is the storage, in an electronic payment card, of blank cheques. In this case, there is an imperative need to be certain that each electronic cheque can serve once only, is certified as authentic by a financial institution, or better still an empowered authority, and will be reimbursed to the recipient of the payment by the financial institution of his choice.

For this purpose, use is made of procedures for transporting, exchanging and verifying signatures between what has been referred to hereinabove as a medium and a device. In such procedures, it is deemed that too many security elements to be kept secret may be violated by third parties seeking to use for example one and the same cheque several times, whether this be at the level of the aforesaid issuer of the cheque or of the recipient thereof, whether the issuer and the recipient are or are not conniving, whether one is attempting to steal from the other or one of the financial institutions, the one issuing the electronic cheque or the one which pays it to the recipient.

The purpose of the present invention is to solve these problems and to carry out such payments with a monitoring of the latter which is least prone to fraud in an “off-line” service, by organizing an interoperability between the said medium and device.

The term interoperability should be understood to mean the possibility of secure cooperation of payment between a medium for example emanating from a Belgian institution and a device emanating from a foreign institution and located abroad, or else emanating from another Belgian institution and located in Belgium, and whose secure cooperation is possible without the sharing of one or more secret keys between the two institutions and hence between the medium and the device.

It goes without saying that the solution brought to these problems may also find a definite application in, for example, the exchanging of digital data recorded on a medium, so as to be certain that they are authenticated by whom it may concern, and not acquired fraudulently, so as to be supplied to a recipient who acquires them in good faith or not to be supplied to a recipient having no entitlement thereto.

To solve these problems, the method of the invention comprises, so that the device can recognize the authenticity of the medium and of a cheque being received,

a calculation by the medium of a table, possibly partial, on the basis of at least one set of k base values, by applying successively to each of them n times an irreversible function with parameter(s) differing preferably with each application and giving k intermediate values n times,

a calculation by the medium of a secret key on the basis of the last k intermediate values of order n and, on the basis of this key, a calculation of a distinctive sign of the cheque,

a transmission by the medium to the device of the distinctive sign calculated for the electronic cheque,

a financial commitment of the medium in relation to the device, as regards the cheque, by supplying to the device,

a first result of an irreversible function via which was processed the result of a first algorithm combining a secret verification key, originating from the financial institution issuing the electronic cheque, and dynamic parameters of this cheque, and

a second result of a second algorithm combining the secret key calculated for the medium, the dynamic parameters of this cheque and the first result hereinabove,

at least one random/pseudo-random guesstimation, by the device (3), of k numbers m of successive applications of the irreversible function to the k base values, the k numbers m lying between zero and n and possibly being different from one another, the sum of the k numbers m having to be a determined constant,

a transmission of the result of the guesstimation by the device to the medium,

a response by the medium to the said guesstimation by the device, comprising on the one hand the result of the first algorithm combining the secret verification key and the dynamic parameters of the cheque and, on the other hand, a set of the k intermediate values obtained during the successive applications of the irreversible function to each of the k base values the number or numbers of times m lying between zero and n,

by the device:

successive applications of the irreversible function to each of the k intermediate values of order(s) m until the last k intermediate values of order n are obtained,

a calculation of the said secret key on the basis of these last k intermediate values of order n and, on the basis of this secret key, a calculation of the distinctive sign of the cheque,

a comparison of the distinctive sign thus calculated and of the distinctive sign calculated by the medium and received from the latter,

a verification by calculation and comparison in the device of the said second result of the second algorithm and of that received from the medium,

a verification by calculation and comparison in the device of the said first result of an irreversible function and of that received from the medium and,

if the said comparison and verifications each give equality, an acceptance and a storage by the device of the electronic cheque issued by the medium.

Thus the use is avoided, for example, of special-purpose cards (or media) furnished with cryptography integrated circuits using public key algorithms, for example RSA, known in the art, developed by RSA Data Security Inc. Redwood City, Calif., USA or of cards operating with globalization of DES keys (Data Encryption Standard), or some other secret key encryption algorithm also known in the art.

Advantageously, the sum of the k numbers m is a constant equal to n*k/2if the product n*k is even or, if this product is odd, to (n*k−1)/2.

According to one embodiment of the invention, the method comprises:

a storage in the medium of at least one electronic cheque template useable to make at least one aforesaid cheque,

a transmission by the medium to the device of:

a series of h distinctive signs of a cheque, each associated with a distinct set of k base values contained in the medium,

an index, lying between 1 and h, for designating a particular distinctive sign from among the h aforementioned distinctive signs,

a digital signature produced by the issuing financial institution so as to guarantee the said distinctive signs, and

a use by the device, for the said comparison, of the particular distinctive sign determined by the index in the guise of distinctive sign received from the medium, and

a verification by the device of the said digital signature by means of a public key known to the device.

According to one mode of realization, the method of the invention comprises, in respect of the transaction, a transmission by the medium to the device of non-secret data which may be the identification of the financial institution which certifies the electronic cheque and, as appropriate, the public key of the issuing financial institution and a certificate of the abovementioned public key issued by a certificate authority. The device can verify in this case the authenticity of the said certificate by means of another public key, known to the device, of the certificate authority.

According to one particular embodiment of the invention, the medium can be reloaded at least as regards its overall amount and/or its number of electronic cheques in the course of a link with the abovementioned financial institution or one of its delegates.

According to one embodiment of the invention, the method comprises, for the calculation of the table by the medium, a mother base value common to each column of the table, and an application to this mother base value of at least one irreversible function preferably with different parameter(s) for each column so as to obtain the said k base values.

According to an advantageous embodiment of the invention, in the course of a reloading of the medium, it is furthermore supplied with an identification of cheque templates, updated abovementioned static parameters, a series of h distinctive signs, an abovementioned digital signature and a determined number of base values or, as appropriate, of at least one aforesaid common base value.

According to another advantageous embodiment of the invention, the device records, during a transaction, the result of the first algorithm and/or, as appropriate, an identification of the aforesaid financial institution and/or an identification of the template of the electronic cheque received and/or the identification of the medium.

According to a particularly advantageous embodiment of the invention, the process makes provision for the fact

that in respect of incremental payments of the kind by telephone card, the dynamic parameters of the cheques moreover comprise:

the amount or the sequence of amounts corresponding to the authorized incremental payments,

a base chaining value,

a chaining of successive chaining values which each stem successively from the application of an irreversible function to the immediately following chaining value, and

that after having performed with the hereinabove device a protocol for payment by electronic cheque, the medium can perform an incremental payment by supplying the receiving device with successive chaining values, the device preserving a record of the last chaining value received and of the corresponding index.
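The chaining of values described above, as an added Python example (not code from the patent). SHA-256 stands in for the irreversible function, the function and class names are hypothetical, and it is assumed that the base chaining value carried in the dynamic parameters is the end of the chain that every later value hashes down to.

```python
import hashlib
import hmac

def owf(value: bytes) -> bytes:
    # SHA-256 stand-in for the page's irreversible function (assumption).
    return hashlib.sha256(b"chain|" + value).digest()

def make_chain(secret: bytes, n: int):
    """Return [c_0 .. c_n] with c_i = OWF(c_(i+1)); c_0 is the base chaining value."""
    chain = [secret]                      # c_n, known only to the medium
    for _ in range(n):
        chain.append(owf(chain[-1]))
    chain.reverse()
    return chain

class Receiver:
    """Device side: keeps only the last chaining value received and its index."""

    def __init__(self, base_value: bytes, max_units: int):
        self.last = base_value            # authenticated as part of the cheque's CDP
        self.index = 0
        self.max_units = max_units        # number of authorized incremental payments

    def accept(self, value: bytes, index: int) -> bool:
        # Only strictly newer indexes within the authorized range are considered.
        if not (self.index < index <= self.max_units):
            return False
        probe = value
        for _ in range(index - self.index):
            probe = owf(probe)            # hash forward to the stored value
        if not hmac.compare_digest(probe, self.last):
            return False
        self.last, self.index = value, index
        return True

if __name__ == "__main__":
    chain = make_chain(b"constructed-secret-for-demo-only", 5)
    device = Receiver(chain[0], max_units=5)
    for i in (1, 2, 3):
        print("unit", i, "accepted:", device.accept(chain[i], i))
    print("replay of unit 2 accepted:", device.accept(chain[2], 2))
```

The device can redeem the highest index it holds, since that value together with the signed base value proves every earlier increment.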

According to another particularly advantageous embodiment of the invention, the method comprises a cancellation of a transaction of payment by cheque from the medium to the device. For this purpose, the method can comprise, on the one hand, a storage, in the device, of at least one electronic cheque template, issued by the financial institution of the device, and of secret data relating to this template and, on the other hand, a programming of the medium in such a way that the latter cannot receive a payment by cheque other than from the device to which a transaction was previously paid by means of the said medium, the latter storing the cancellation payment cheque until the medium is presented to its corresponding financial institution, in particular for a reloading of the medium.

Preferably, the method of the invention furthermore comprises steps of inverse authentication via which the medium can for its part recognize the authenticity of the device. For this purpose, the steps of inverse authentication can be of the same kind as those for the authentication of the medium, whilst requiring, as appropriate, only a single distinctive sign of electronic cheque template.

According to another preference, the method of the invention can comprise, for at least some of the inverse authentication steps, the use of an element for communication between the medium and the device, this communication element preferably being held by the payment issuer which holds the said medium.

In order to increase the number of times that the same cheque template can serve to make a distinct cheque, the method comprises, in the medium, a combination of each of the various distinctive signs, at a first level, by means of irreversible functions each time with another value or another distinctive sign; the results of each pair of applications of the irreversible function are thereafter combined at a second level via another application of the irreversible function so as to give new results to be combined at a third level via one or other applications of the irreversible function and so on and so forth until a single result is obtained, and which is signed, as deduced distinctive sign, for the digital signature so as to sign the cheques issued.

Then, for a verification by the device of the deduced distinctive sign, the method can comprise a transmission from the medium each time of the second distinctive sign used in a first combination at the first level and, at each succeeding level, of the intermediate result of the irreversible functions, which is used so as to be combined successively with the corresponding intermediate result obtained on the basis of the second distinctive sign, until the deduced distinctive sign is obtained.
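The level-by-level combination and its verification are what is commonly called a hash tree (Merkle tree) with an authentication path; the following Python sketch is an added example, not code from the patent. SHA-256 stands in for the irreversible function, the names are hypothetical, and a power-of-two number of distinctive signs is assumed.

```python
import hashlib
import hmac

def combine(left: bytes, right: bytes, level: int) -> bytes:
    """Irreversible function applied to a pair, parametrized by the level."""
    return hashlib.sha256(bytes([level]) + left + right).digest()

def build_levels(signs):
    """levels[0] holds the distinctive signs, levels[-1] the deduced distinctive sign."""
    if len(signs) < 2 or len(signs) & (len(signs) - 1):
        raise ValueError("example assumes a power-of-two number of signs")
    levels = [list(signs)]
    while len(levels[-1]) > 1:
        prev, lvl = levels[-1], len(levels)
        levels.append([combine(prev[i], prev[i + 1], lvl)
                       for i in range(0, len(prev), 2)])
    return levels

def companion_values(levels, index):
    """Values the medium transmits: the paired sign, then one result per level."""
    out = []
    for nodes in levels[:-1]:
        out.append(nodes[index ^ 1])      # the other member of the pair
        index >>= 1
    return out

def deduce(sign: bytes, index: int, companions) -> bytes:
    """Device side: recombine upward until the deduced distinctive sign is reached."""
    value = sign
    for lvl, other in enumerate(companions, start=1):
        if index % 2 == 0:
            value = combine(value, other, lvl)
        else:
            value = combine(other, value, lvl)
        index >>= 1
    return value

def device_accepts(sign, index, companions, signed_root) -> bool:
    # signed_root is the deduced sign covered by the bank's digital signature.
    return hmac.compare_digest(deduce(sign, index, companions), signed_root)

if __name__ == "__main__":
    signs = [bytes([i]) * 16 for i in range(8)]   # constructed distinctive signs
    levels = build_levels(signs)
    root = levels[-1][0]
    path = companion_values(levels, 5)
    print("values sent for sign 5:", len(path))
    print("accepted:", device_accepts(signs[5], 5, path, root))
```

Only one signature verification is needed per template, while the number of values sent per cheque grows with the logarithm of the number of distinctive signs.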

The invention also relates to a payment system for implementing the method hereinabove. For this purpose, the system of the invention comprises

at least one medium furnished

with means for storing at least

a blank electronic cheque certified by a financial institution,

an overall amount useable at least partially in respect of the electronic cheque,

at least one distinctive sign for this cheque, which may be included in the latter,

at least one set of k base values which may be derived from a single common mother value,

a secret verification key originating from the financial institution issuing the electronic cheque, and

dynamic parameters of the said cheque, and

with means of calculation

of a table on the basis of the k base values, by applying successively to each of them n times an irreversible function with parameter(s) differing preferably with each application and giving k intermediate values n times,

of a secret key on the basis of the last k intermediate values of order n and, on the basis of this key, of a distinctive sign of the cheque,

of a first result of an irreversible function via which was processed the result of a first algorithm combining the secret verification key and dynamic parameters of the cheque, and

of a second result of a second algorithm combining the secret key calculated for the medium and the dynamic parameters of this cheque and of the aforementioned first result, and

with means of direct dialogue with at least one device adapted to receive at least one aforesaid electronic cheque from the abovementioned medium and among other things the distinctive sign of the said cheque,

the device being equipped

with means of random/pseudo-random guesstimation of k numbers m of successive applications of the irreversible function to the k base values, the k numbers m lying between zero and n and possibly being different from one another, the sum of the k numbers m having to be a determined constant,

with means of direct dialogue corresponding to those of the medium, so as among other things to carry out a transmission of the result of the guesstimation to the medium,

with means of calculation

successively applying the irreversible function to each of the k intermediate values of order m until the last k intermediate values of order n are obtained,

of the said secret key on the basis of these last k intermediate values of order n and, on the basis of this key, a calculation of the distinctive sign of the cheque,

means of comparison of the distinctive sign thus calculated and of the distinctive sign calculated by the medium and received from the latter,

means of verification by calculation and comparison of the said second result of the second algorithm and of that received from the medium,

means of verification by calculation and comparison of the said first result of an irreversible function and of that received from the medium and,

means of storage of at least the electronic cheque issued by the medium, if the said comparison and verifications each give equality.

According to one embodiment of the system of the invention,

the means of storage of the medium are devised so as to store at least one electronic cheque template useable to make at least one aforesaid cheque,

the means of dialogue of the medium are devised so as to transmit to the device: a series of h distinctive signs of a cheque, each associated with a distinct set of k base values contained in the medium, an index, lying between 1 and h, for designating a particular distinctive sign from among the h aforementioned distinctive signs, and a digital signature produced by the issuing financial institution so as to guarantee the said distinctive signs, and

the device is devised so as to use, for the said comparison, the particular distinctive sign determined by the index in the guise of distinctive sign received from the medium, and

the device comprises means of calculation devised so as to verify the said digital signature by means of a public key known to the device.

According to another embodiment of the system of the invention, the means of dialogue of the medium are devised so as to transmit to the device non-secret data which may be the identification of the financial institution which certifies the electronic cheque and, as appropriate, the public key of the issuing financial institution and a certificate of this public key issued by a certificate authority. Therefore, the device can be devised so as to verify the authenticity of the said certificate by means of another public key, known to the device, of the certificate authority.

Advantageously, the system according to the invention comprises as medium a payment card of the integrated circuit type and as device a payment terminal with reading and writing for a card of this type.

As a variant, the system according to the invention comprises as medium a payment card of the integrated circuit type and as device a payment terminal with reading and writing for a card of this type and furnished with means of transferring data received from the said card, and/or processed by the terminal, into storage means detachable from the terminal proper and in particular transportable to a financial institution so as to perform therein a transfer of the said data.

According to another variant of the system according to the invention, in particular in the case where the device is remote from the issuer of the payment and/or in the case of steps of inverse authentication of the device by the medium, the abovementioned medium is composed among other things, on the one hand, of the aforesaid integrated circuit card and, on the other hand, of a communication element, for dialogue between the card and the said device.

Other details and particular features of the invention will emerge from the secondary claims and from the description of the drawings which are appended to the present document and which illustrate, by way of non-limiting example, the method of the invention and a particular system of the invention for implementing the method.

FIG. 1 shows diagrammatically one embodiment of a system allowing the implementation of a mode of realization of the payment method.

FIG. 2 shows diagrammatically steps for constructing a table of values making it possible to verify and/or calculate a distinctive sign for a cheque.

FIG. 3 shows diagrammatically steps for constructing values making it possible to calculate another type of distinctive sign for a cheque.

FIG. 4 shows diagrammatically a variant of the system, in which the device consists of at least two mutually detachable elements.

FIG. 5 shows diagrammatically another variant of the system, in which the medium consists of at least two mutually detachable elements.

FIG. 6 shows diagrammatically a system of the invention, integrated into a simple circuit for payment via banks.

In the various figures, the same reference notation designates identical or similar elements.

The method of the invention is especially intended to carry out a protocol for payment by electronic cheque in what is referred to, as explained hereinabove, as a so-called “off-line” situation. This payment protocol implements interoperability between (FIG. 1) an aforesaid electronic cheque medium 1, which may be a card 2 of the bank card, credit card, debit card kind etc., having an integrated circuit for storage and calculation and an electronic cheque receiving device 3 which can be a terminal 4 with reading and writing for the said integrated circuit card 2.

An objective of the present invention consists in the card 2 and the terminal 4 being devised so as to execute an authentication of the electronic cheque to be transmitted by the card 2, for example from a purchaser, to the terminal 4, for example of a merchant who the purchaser must pay for a purchase, based on at least one random/pseudo-random guesstimation on the part of the terminal 4 and a corresponding response from the card 2.

To do this, the card 2 and the terminal 4 have in memory, as elements known in common by each of them, nothing but irreversible functions and/or algorithms and a MAC algorithm explained hereinbelow. Apart from this, the card 2 has in memory a public key PK_(B) of a financial institution, such as the bank BA (FIG. 6) of the holder of the card 2, and a public key certificate CERT_(B) signed electronically by an authority for certifying this public key PK_(B) of the bank BA. For its part, the terminal 4 possesses in memory a public key PK_(CA) which can be certified by the same certificate authority. In the present invention, there is advantageously no necessity for the card 2 to have the capability of calculating public key algorithms, except for special cases.

The protocol described hereinbelow corresponds to a situation in which:

a purchaser wishes to pay a merchant for a purchase using an electronic cheque,

the purchaser holds for this purpose an integrated circuit card 2 (an electronic cheque medium 1) supplied by his bank BA,

the merchant holds for this purpose a terminal 4 (electronic cheque receiving device 3) supplied to him by his bank BB, and

the electronic payment is carried out without there being any link established with one BA or the other BB of the two banks concerned or any other financial institution or monitoring.

As the basis for the method, it is supposed that the purchaser or holder of the card 2 trusts his bank BA which loads his card 2.

The sought-after security obtained by the invention consists in:

the bank BA of the purchaser having to be certain that it will only have to pay genuine electronic cheques issued by the card 2 of the purchaser, hence no cheques fraudulently duplicated or altered by the purchaser or a third party nor any cheques fraudulently made by the merchant,

the merchant wishes to be certain that his bank BB will agree to credit him with the electronic cheque received from the purchaser,

the bank BB of the merchant wishes to be certain that a cheque accepted in payment by the merchant will be accepted without any subsequent problem by the bank BA of the purchaser.

The protocol for payment by electronic cheque, according to the invention, uses the following cryptographic functions (FIG. 2) known to the person skilled in the art:

a public key signature verification (by an RSA algorithm with small public exponent, RSA being the initials of the inventors Rivest, Shamir and Adleman of this algorithm),

an MAC algorithm combining a key and data, MAC standing for “Message Authentication Code” (this algorithm being based on what is referred to in cryptography as a “Triple DES” or “Triple Data Encryption Standard”, that is to say a system for encrypting data by applying the DES algorithm three times),

a first parametrized irreversible function, henceforth denoted OWF (One Way Function = irreversible function), combining data and parameters,

a second parametrized irreversible function, henceforth denoted SOWF, combining data and parameters, and

an irreversible compression function, henceforth denoted OWHF (One Way Hash Function), also combining parameters and data.

These functions may be implemented by calculation means contained in the integrated circuit of the medium 1 or card 2. At the location of the card 2, the present invention avoids the need to produce a signature by using a public key algorithm.

The medium 1 or card 2 contains, in a memory included in its integrated circuit, at least one non-secret electronic cheque template CF comprising indications relating to this template CF, such as for example:

ID_(CF): an identification of the template CF,

ID_(C): an identification of the card 2,

SP_(CF): so-called static parameters associated with the template, such as for example a date of expiry of validity and an authorized maximum transaction amount,

IM_(CF)[1 . . . h]: a series of h distinctive signs,

SIGN_(CF): a digital signature supplied by the bank BA in order to authenticate ID_(CF), SP_(CF) and IM_(CF)[1 . . . h].

The medium 1 or card 2, depending on the particular case, can contain in its memory non-secret information regarding its bank BA which issued the electronic cheque or cheques contained in the card 2, such as:

ID_(B): an identification of the bank,

PK_(B): the public key of the bank,

CERT_(B): a public key certificate signed by the certificate authority which thus authenticates ID_(B) and

as a variant, a date of expiry of the certificate CERT_(B).

The expression (electronic) cheque template should be understood here to mean a document (electronic) to be completed with data (dynamic parameters) so that it becomes a unique (electronic) cheque.

The card 2 can also contain at least one set of base values S[1], . . . S[k], associated with one or each distinctive sign IM_(CF)[i], i lying between zero and h, and a secret key SVK associated with the cheque template CF with a view to a verification by the bank BA of the cheque tracked by means of this cheque template. Thus, what is referred to hereinabove as a blank cheque may in fact be regarded as an uncompleted or partially completed cheque template.

If the combination of signatures which is used makes it possible to recover data, some of the signed data will preferably be integrated into these signatures themselves, as is known in the art.

As shown by FIG. 2, a particular distinctive sign IM_(CF) depends on the base values S[1], . . . S[k], or even on a common or mother base value SD_(CF) dubbed the SEED which, by applying an irreversible function SOWF, gives these various base values S[1], . . . S[k].

The irreversible functions OWF, SOWF and OWHF applied in the case of FIG. 2 have each time at least one parameter whose value is different from one application to another in Table 5. This different parameter can be the parameter of the row or level N (1 to n) and/or that of the column (1 to k) and/or that of the index i of IM_(CF)[i], and/or ID_(CF) and/or ID_(B) depending on the particular case.

The irreversible functions OWF, SOWF and OWHF used according to FIG. 2 are moreover chosen in such a way that, knowing their respective results, it is not possible to find the corresponding input data or, if the input data are known, to find input data different from the aforesaid data and which give the same results.

The said irreversible functions may be chosen as follows:

the functions OWF may be implemented with a block encryption with a block and key dimension of 64 or 80 bits,

the functions SOWF may be implemented with a block encryption with a block and key dimension of 128 or 160 bits. The results obtained are truncated to 64 or 80 bits respectively,

the function OWHF can be implemented in the form of a compression function (hash function) known in the art (for example the function dubbed SHA-1).

A basic protocol for payment by electronic cheque according to the invention can comprise the steps hereinbelow.

When the purchaser prepares his electronic cheque, he completes a cheque template CF with so-called dynamic parameters CDP for this cheque, namely for example:

the date and time of the payment,

the amount and the chosen currency (depending among other things on the country in which the cheque transaction is effected), and

preferably an identification ID_(D) of the recipient of the cheque (the merchant or the device 3).

The management of these dynamic parameters by the medium 1 and by the device 3 does not form part of the present invention but is known in the art.

The medium 1 or card 2, inserted for example into a card reader of the device 3, sends the latter various parameters from among those cited hereinabove, preferably:

ID_(B): the identification of the issuing bank BA,

ID_(C): the identification of the medium 1,

PK_(B): the public key of this bank BA,

CERT_(B): the certificate of these two parameters,

ID_(CF): the identification of the cheque template CF,

SP_(CF): aforesaid static parameters of this electronic cheque template,

IM_(CF)[1 . . . h]: a series of h aforesaid distinctive signs,

SIGN_(CF): a digital signature of the bank BA,

i: the index indicating which distinctive sign IM_(CF)[i] of the series of h signs is used.

The device 3 verifies:

CERT_(B) by using the certified public key PK_(CA), and thereafter

SIGN_(CF) by using the public key PK_(B) of the bank BA.

At this juncture in the verification, however, the device 3 does not have sufficient proof that it is really communicating with a medium 1, on which fraud has not been perpetrated, such as delivered by the issuing bank BA. The information received from the medium 1 by the device 3 at this juncture could be a fraudulent copy.

The method of the invention makes provision for the fact that at this stage the medium 1 should make a commitment in relation to the device 3:

the medium 1 calculates an authentication code AC_I with a view to a subsequent verification by the issuing bank BA, via an MAC algorithm combining aforesaid dynamic parameters CDP and the secret verification key SVK: AC_I = MAC(SVK, CDP),

the medium 1 calculates therefrom, with the aid of an irreversible function OWF, a commitment value O_AC_I to be used in the payment by cheque protocol: O_AC_I = OWF(AC_I),

the medium 1 calculates an authentication code AC_C, via an MAC algorithm, on the basis of the secret key SK, of the dynamic parameters CDP and of the commitment value O_AC_I: AC_C = MAC(SK, CDP ♦ O_AC_I),

♦: here signifies a chaining of data,

the medium 1 sends the results O_AC_I and AC_C to the device 3.

At this stage of the protocol, the device 3 still has no means of verifying the authentication codes AC_C. In fact, the device 3 still has no guarantee of being linked up with a medium 1 of certified origin.

As next step, the device 3 makes at least one random/pseudo-random guesstimation (or “challenge”) for the purpose of verifying that it is actually the authentic medium 1 which is linked up for the payment of the cheque.

The random/pseudo-random guesstimation consists in giving for each of the k columns of FIG. 2 an order or level N between zero and n, that is to say therefore a series of k numbers m smaller than n+1. Preferably, the sum of the k numbers m (generally mutually different) of the guesstimation is equal to n*k/2 if n*k is an even product or, if the latter is odd, equal to (n*k−1)/2. The way in which this random/pseudo-random guesstimation is carried out does not form part of the invention, it is known to the person skilled in the art. Let it simply be said that it is carried out in a uniform and unpredictable manner within the set of possible guesstimations of this kind.

At this juncture, the device 3 transmits its random/pseudo-random guesstimation to the medium 1 and the latter responds by communicating to the device 3 the authentication code AC_I calculated and a set of k values which are for each column 1 to k of FIG. 2 the intermediate value of order or level m indicated in the guesstimation carried out by the device 3.

The device 3 in turn verifies the response of the medium 1 and, for this purpose, it calculates on the basis of the k intermediate values of levels m received, by applying the irreversible functions OWF of FIG. 2 an appropriate number of times, the result to be used for calculating the key SK by means of the irreversible function OWHF. On the basis of this key the device 3 then calculates the distinctive sign IM_(CF) = OWF(SK) and verifies whether or not it corresponds to the value IM_(CF)[i] used to verify the electronic cheque received. Thereafter, the device 3 verifies the authentication code AC_C by using the key SK and verifies the financial commitment value O_AC_I of the medium 1 by applying the suitable irreversible function: O_AC_I = OWF(AC_I).

If all the verifications and comparisons are positive, the device 3accepts the payment by the electronic cheque and stores the “audittrail” thereof in a protected area of its memory This audit trailcomprises:

ID_(B): the identification of the issuing bank BA

ID_(CF): the identification of the cheque template,

optionally ID_(C): the identification of the medium 1 or card 2,

AC_I: the CDP authentication code

After the protocol for payment by electronic cheque, the value IM_(CF)[i] is regarded as used.

In the method of the invention, the number of payments which may be made with one and the same cheque template is h.

It is apparent that the secret key SK used to authenticate the dynamic parameters CDP is communicated only at the moment at which the exchanging of the guesstimation of the device 3 and of the response of the medium 1 takes place. From this moment onwards, the secret key must be regarded as having become public information.

The number of possible guesstimations which may be undertaken by the device 3 depends on the exact values of k and n and can readily be calculated. It is for example possible to choose n and k in such a way that this number of guesstimations is of the order of 4*10¹⁰, etc.

It will be understood that the response to a single guesstimation does not make it possible to deduce therefrom a response to any other guesstimation since there will be at least one column (FIG. 2) for which an intermediate value of a lower level is required.
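The commitment, guesstimation, response and verification steps described above, and the reason a recorded response cannot answer a different guesstimation, can be followed in the sketch below. It is an added example, not code from the patent: SHA-256 and HMAC-SHA-256 stand in for OWF, OWHF and MAC, the challenge is drawn by rejection sampling, and every function, class and sample value is a hypothetical name or constructed input.

```python
import hashlib
import hmac
import secrets

def owf(value, col=0, level=0):
    # Assumption: SHA-256 tagged with (column, level) so every application differs.
    tag = b"OWF" + col.to_bytes(2, "big") + level.to_bytes(2, "big")
    return hashlib.sha256(tag + value).digest()

def owhf(values):
    # Assumption: SHA-256 over the k level-n values as the compression function OWHF.
    return hashlib.sha256(b"OWHF" + b"".join(values)).digest()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def climb(value, col, start, stop):
    """Apply OWF in column `col` from level `start` up to level `stop`."""
    for level in range(start + 1, stop + 1):
        value = owf(value, col, level)
    return value

class Medium:
    def __init__(self, base_values, n, svk):
        self.base, self.n, self.svk = base_values, n, svk
        top = [climb(s, c, 0, n) for c, s in enumerate(base_values)]
        self.sk = owhf(top)              # secret key SK from the level-n values
        self.im_cf = owf(self.sk)        # distinctive sign IM_CF = OWF(SK)

    def commit(self, cdp):
        self.ac_i = mac(self.svk, cdp)               # AC_I = MAC(SVK, CDP)
        o_ac_i = owf(self.ac_i)                      # O_AC_I = OWF(AC_I)
        return o_ac_i, mac(self.sk, cdp + o_ac_i)    # AC_C = MAC(SK, CDP || O_AC_I)

    def respond(self, challenge):
        # Disclose, per column, the intermediate value at the challenged level m.
        return self.ac_i, [climb(s, c, 0, m)
                           for c, (s, m) in enumerate(zip(self.base, challenge))]

def make_challenge(k, n):
    """k levels in 0..n whose sum is n*k/2 (or (n*k-1)/2), uniform over that set."""
    while True:
        levels = [secrets.randbelow(n + 1) for _ in range(k)]
        if sum(levels) == (n * k) // 2:
            return levels

def verify(im_cf, cdp, o_ac_i, ac_c, challenge, ac_i, values, n):
    """Device side: rebuild SK from the response instead of trusting any key it is sent."""
    if len(values) != len(challenge):
        return False
    top = [climb(v, c, m, n) for c, (v, m) in enumerate(zip(values, challenge))]
    sk = owhf(top)
    return (hmac.compare_digest(owf(sk), im_cf)
            and hmac.compare_digest(mac(sk, cdp + o_ac_i), ac_c)
            and hmac.compare_digest(owf(ac_i), o_ac_i))

def replayable(seen, new):
    """A recorded response answers `new` only if no column needs a lower level."""
    return all(b >= a for a, b in zip(seen, new))

def run_demo(k=4, n=6):
    medium = Medium([secrets.token_bytes(32) for _ in range(k)], n,
                    secrets.token_bytes(32))
    cdp = b"amount=12.50;payee=constructed-device-3"   # constructed sample CDP
    o_ac_i, ac_c = medium.commit(cdp)
    seen = make_challenge(k, n)
    ac_i, values = medium.respond(seen)
    honest = verify(medium.im_cf, cdp, o_ac_i, ac_c, seen, ac_i, values, n)
    # A copy holding only this transcript faces a different guesstimation: it can
    # climb where the new level is higher but must guess where it is lower.
    new = make_challenge(k, n)
    while new == seen:
        new = make_challenge(k, n)
    forged = [climb(v, c, a, b) if b >= a else secrets.token_bytes(32)
              for c, (v, a, b) in enumerate(zip(values, seen, new))]
    replay = verify(medium.im_cf, cdp, o_ac_i, ac_c, new, ac_i, forged, n)
    return {"honest": honest, "replay": replay,
            "replayable": replayable(seen, new), "sum": sum(seen)}

if __name__ == "__main__":
    print(run_demo())
```

Because every guesstimation has the same sum, two different guesstimations always differ downward in at least one column, which is why `replayable` is false for any distinct pair.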

A loading or reloading of the medium 1 with cheque template and amount or monetary value must be executed in a secure manner and is therefore carried out in a direct line (“on-line”) with the financial institution or issuing bank BA or with any other authorized third party.

Since an electronic cheque template CF may only be used a determined number of times so that only a unique cheque which can be authenticated is made each time, each electronic cheque template is produced by the issuing financial institution BA and must be loaded in advance into the medium 1.

The data to be transmitted to the medium 1 when loading a cheque template are for example:

ID_(CF): the identification of the electronic cheque template,

SP_(CF): the static parameters of this template,

IM_(CF)[1 . . . h]: a series of h distinctive signs for cheques,

SIGN_(CF): a digital signature of the issuing bank BA regarding the data hereinabove ID_(CF), SP_(CF), IM_(CF)[1 . . . h] which may be included within this signature,

in a variant stated hereinabove, a mother value or common base value SD_(CF) which can be used by the medium to calculate the abovementioned base values S[1 . . . k] and thereafter the intermediate values of FIG. 2, up to each distinctive sign IM_(CF)[i].

The mother or common base value SD_(CF) is transmitted by the issuing institution BA to the medium 1 in an encrypted manner. To establish a secure communication between this institution BA and the medium 1, it is possible to use a straightforward MAC algorithm and encryption using keys deduced on the part of the medium 1 and main keys in the main computer of the institution BA. The person skilled in the art knows this.

The distinctive signs IM_(CF)[1 . . . h] of the electronic cheque depend on the mother or common base value SD_(CF) and must consequently be calculated by the financial institution BA. This can be done in advance. At the moment of loading a medium 1, the signs IM_(CF)[1 . . . h] can be fetched from a data bank of the main computer.

It is absolutely essential to ensure that none of the distinctive signs IM_(CF)[1 . . . h] is used more than once and that the corresponding mother values SD_(CF) are stored in encrypted form.

The deducing, from the mother value SD_(CF) or from the base values S[1 . . . k], of the intermediate values of zero level in FIG. 2 does not come into the actual protocol for payment by electronic cheque. Hence, the choice of the irreversible function SOWF can be left to the issuing bank BA.

When the device 3 or terminal 4 (FIG. 6) is placed in communication with its own financial institution BB, it transmits to the latter the “audit trails” of the electronic cheque received, preferably comprising the identification ID_(D) of the device 3. The financial institution BB sorts these audit trails and for example effects a clearance of the electronic cheque with the financial institution BA of the medium 1. For this purpose, the financial institution BB transmits the said audit trail to the financial institution BA for verification of the payment transaction by electronic cheque, described hereinabove, and receives an acknowledgement of receipt therefrom.

As a variant, the medium 1 can be devised so as to allow so-called incremental payments (or tick payments) in which case the medium 1 also contains in memory an additional amount or the abovementioned amount envisaged for cheques, whilst a suitable device 3 withdraws small successive sums as in the case of a public telephone to be paid for with a suitable card. The expression small sum is herein understood to mean a much smaller amount than that envisaged for an electronic cheque. For this purpose, the above protocol is tailored by appending to the abovementioned dynamic parameters CDP the following parameters:

the sum or sums corresponding to withdrawals, and

a base chaining value Z₀, to be used for the “withdrawal” part of the tailored protocol.

A chain of chaining values Z_(j) is determined by an irreversible function applied to the following value Z_(j+1): Z_(j) = OWF(Z_(j+1)).

Upon a withdrawal, the medium 1 supplies values Z₁, Z₂, Z₃ corresponding to each small sum. The appropriate device 3 then preserves an audit trail of the last value Z_(j) and of its index j which were received on the occasion of this payment.

A maximum number of withdrawals of small sums must be fixed in advance. For this purpose, provision may be made for an algorithm requiring little memory and calculational hardware.
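The chaining values Z_(j) of the incremental payment variant can be checked by the device as in the sketch below, which is an added example and not code from the patent. It assumes SHA-256 as the irreversible function and that Z₀ has already been authenticated as part of the dynamic parameters CDP; `build_chain` and `TickReceiver` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def owf(value):
    # Assumption: SHA-256 with a domain tag stands in for the irreversible function.
    return hashlib.sha256(b"tick-chain" + value).digest()

def build_chain(seed, max_ticks):
    """Medium side: return [Z_0, ..., Z_max] with Z_j = OWF(Z_{j+1}); seed is Z_max."""
    chain = [seed]
    for _ in range(max_ticks):
        chain.append(owf(chain[-1]))
    chain.reverse()
    return chain

class TickReceiver:
    """Device side: holds only the last accepted value and its index (the audit trail)."""

    def __init__(self, z0, max_ticks):
        self.last_value = z0        # Z_0, received inside the authenticated CDP
        self.last_index = 0
        self.max_ticks = max_ticks  # maximum number of withdrawals, fixed in advance

    def accept(self, j, z_j):
        # Reject replays of old indices and anything beyond the agreed maximum.
        if not isinstance(j, int) or not (self.last_index < j <= self.max_ticks):
            return False
        value = z_j
        for _ in range(j - self.last_index):
            value = owf(value)      # walk back down to the last accepted value
        if not hmac.compare_digest(value, self.last_value):
            return False
        self.last_value, self.last_index = z_j, j
        return True

    def audit_trail(self):
        return self.last_index, self.last_value

def run_ticks():
    chain = build_chain(secrets.token_bytes(32), 5)    # constructed sample chain
    rx = TickReceiver(chain[0], 5)
    results = [rx.accept(j, chain[j]) for j in (1, 2, 3)]
    results.append(rx.accept(2, chain[2]))                  # replayed tick
    results.append(rx.accept(4, secrets.token_bytes(32)))   # guessed value
    results.append(rx.accept(6, chain[5]))                  # beyond the maximum
    return results, rx.audit_trail()[0]

if __name__ == "__main__":
    print(run_ticks())
```

Accepting an index more than one step ahead of the last one is a choice made in this sketch; the text only describes values supplied in sequence.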

The transaction protocol hereinabove may also be tailored so as to execute a payment by electronic cheque in the inverse direction, hence from the device 3 or terminal 4 to the medium 1 or card 2. For this purpose, the device 3 must contain an electronic cheque issued by its financial institution BB and a type of security means containing secret elements of this cheque. The medium 1 can be programmed for its part so as not to accept payments by cheque other than from a device 3 to which it has itself previously paid by cheque when, for example transacting a purchase of an object. Thus, a cancellation or a reimbursement of a purchase may be settled. A payment in the reverse direction does not in principle require authentication of the device 3, among other things upon reimbursement of a purchase, the purchaser being assumed to know and trust the merchant.

Generally, so as not to complicate the medium 1, the latter will only retain the audit trail of this reverse-direction payment as is, with a view to a presentation of this cheque to the financial institution BA issuing the medium 1, during a subsequent reloading of the latter. This financial institution BA can however decide to add, directly after payment or solely at a time when it is communicating with the medium 1, the value of this reimbursement cheque to the amount recorded in the medium 1.

The protocol or method described hitherto does not provide for inverse authentication of the device 3 in relation to the medium 1 and/or the financial institution BA of the latter.

Such reverse authentication can however be implemented using the same guesstimation and response pair, providing for this purpose just one distinctive sign IM_(CF). This can prove useful for example in the case of payments via a communication network such as INTERNET.

In the protocol presented hitherto, the number of payments which may be made with a single blank cheque template is h (number of distinctive signs IM_(CF)[i] given by the institution BA and to be appended to a cheque template so as to form a unique particular cheque).

According to a variant of the invention, this number of payments with a single cheque template can be increased by using for example the combination of FIG. 3. In this combination, each of the various values IM_(CF)[i] is combined, at a first level, by means of irreversible functions OWHF each time with another value which can also be a distinctive sign IM_(CF)[i′]. The results V₁ and V₂ on the one hand and V₃ and V₄ on the other hand of each pair of applications of the irreversible function OWHF are combined by another application of the irreversible function OWHF so as to give two new results V₅ and V₆ to be combined by one or other applications of the irreversible function until a unique result O_IM_(CF) is obtained which is now used as deduced distinctive sign in respect of the signature of cheques.

So as to make it possible, in the case of FIG. 3, for the device 3 to verify that the deduced distinctive sign O_IM_(CF) is actually obtained from the authenticated distinctive signs IM_(CF)[i], the method can comprise a transmission from the medium 1 each time of the second distinctive sign IM_(CF)[i] used in a first combination OWHF at the first level and, at each subsequent level, of the intermediate result V₂, V₆ of the irreversible functions OWHF, which is used so as to be combined successively with the corresponding intermediate result V₁, V₅ obtained on the basis of the second distinctive sign IM_(CF)[i], until the deduced distinctive sign O_IM_(CF) is obtained.
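The FIG. 3 combination and the values the medium transmits so that the device can recompute O_IM_(CF) amount to a hash tree with an authentication path. The sketch below is an added example, not code from the patent: it assumes SHA-256 as OWHF and a number of distinctive signs that is a power of two, and `build_levels`, `auth_path` and `deduce` are hypothetical names.

```python
import hashlib
import hmac

def owhf(left, right):
    # Assumption: SHA-256 over the ordered pair stands in for OWHF.
    return hashlib.sha256(b"OWHF" + left + right).digest()

def build_levels(signs):
    """Medium/bank side: combine the signs pairwise, level by level.

    Returns every level; the last one holds the single value O_IM_CF.
    """
    if not signs or len(signs) & (len(signs) - 1):
        raise ValueError("this sketch needs a power-of-two number of signs")
    levels = [list(signs)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([owhf(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def auth_path(levels, index):
    """Values the medium transmits with sign `index`: the partner at each level."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # the other member of the pair
        index //= 2
    return path

def deduce(sign, index, path):
    """Device side: recompute the deduced distinctive sign from one sign and its path."""
    node = sign
    for partner in path:
        node = owhf(node, partner) if index % 2 == 0 else owhf(partner, node)
        index //= 2
    return node

def verify_sign(sign, index, path, o_im_cf):
    # o_im_cf is the value covered by the bank's signature SIGN_CF, assumed
    # to have been verified separately with the public key PK_B.
    return hmac.compare_digest(deduce(sign, index, path), o_im_cf)

def run_tree_demo():
    signs = [hashlib.sha256(b"constructed-IM_CF-%d" % i).digest() for i in range(8)]
    levels = build_levels(signs)
    root = levels[-1][0]
    ok = all(verify_sign(signs[i], i, auth_path(levels, i), root) for i in range(8))
    bad_sign = verify_sign(b"\xff" * 32, 3, auth_path(levels, 3), root)
    bad_index = verify_sign(signs[3], 2, auth_path(levels, 3), root)
    return ok, bad_sign, bad_index, len(auth_path(levels, 0))

if __name__ == "__main__":
    print(run_tree_demo())
```

With h signs under one signed value, the medium sends log2(h) partner values per cheque instead of the whole series IM_(CF)[1 . . . h].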

For the implementation of the method of the invention, there is provided a system composed at least of the medium 1 comprising for example at least one integrated circuit known in the art, chosen so as to have data storage means, calculation means, so as to compile in full or in part the Table 5 of FIG. 2, and means of direct dialogue, “off-line” with respect to a main computer of a financial institution or one for managing payments by electronic means, with at least one device 3 whose manner of operation is also described hereinabove.

With a view to the operation thereof, the device 3 comprises means of direct dialogue so as to talk to the medium 1, means of random or pseudo-random guesstimation, means of calculation of the elements cited hereinabove, means of comparison and of verification of miscellaneous data, according to the description hereinabove, and means of storage of at least the electronic cheque issued by the medium 1, if the comparisons and verifications envisaged determine the authenticity of the said cheque.

In a first embodiment of the system (FIG. 1), the medium can be an integrated circuit card 2 such as explained hereinabove and the device 3 can be a terminal 4 which is able to read from and to write to the card 2 and which can be connected, for example by telephonic network, to the main computer of the corresponding bank BB, at certain chosen moments, with a view to transferring thereto the cheques and related data so as to credit the authenticated amounts to a bank account of the recipient of the cheques, the holder of the device 3.

In another embodiment (FIG. 4) of the system of the invention, the medium 1 is also an integrated circuit card 2 but the device 3 comprises a read and write terminal 4 for the card 2 and is furnished with means for transferring data received to detachable storage means of the actual terminal 4. The latter means may be an integrated circuit card 6 of the same type as the card 2 and may be used so as for example to transport the cheques and data to the bank BB.

It goes without saying that by the phraseology “at least” one element or one method step, the person skilled in the art understands, after reading the explanation of this element or step, the way or ways and possibilities for applying the repetition thereof.

It should be understood that the invention is in no way limited to the embodiments described and that many modifications may be made to the latter without departing from the scope of the claims.

Thus, in yet another embodiment of the system of the invention, if the device 3 is remote from the issuer of the payment and/or in the case of steps of abovementioned reverse authentication of the device 3 by the medium 1, the latter can comprise, on the one hand, an abovementioned integrated circuit card 2 and, on the other hand, a communication element 7 for dialogue between this card 2 and the device 3. This can be the case in respect of “off-line” payments within the framework of telecommunication networks of the INTERNET type when a third party must be able to make a remote payment so as to obtain, or to have access to, services or information without it being necessary for him to refer directly to a financial institution or to an institution for managing payments of this kind.

FIG. 6 shows by way of example a diagram of communication between the various means and financial institutions in a basic type of configuration of the system of the invention. A card 2 is loaded with (templates of) electronic cheques and data in a terminal 8 of the corresponding issuing bank BA. Thereafter, this card 2 is presented by its holder to a merchant equipped with a device 3 for the payment transactions. When he wishes, the merchant links his device 3 up to his bank BB so as to transfer thereto accumulated electronic cheques in particular. The bank BB submits for payment, to the bank BA, electronic cheques emanating therefrom (clearing of accounts, transfer of money).

The said banks BA and BB can be one and the same institution.

An institution 9 for managing electronic payments can form part of the assembly for managing, arbitrating and servicing the relevant hardware. A certificate authority 10, such as a national bank, must intervene in accordance with the law in order to ensure that there is no illegal creation of monetary values.

It is apparent that in the invention, according for example to the choice of the number h of distinctive signs IM_(CF)[1 . . . h], a cheque template CF can give rise to only one electronic cheque or to several of them, each being different by virtue of the distinctive sign IM_(CF)[1 . . . h] definitively associated therewith.

For example also, the common base value SD_(CF) can be different at each loading of the medium 1 and/or for each cheque template CF.

A medium 1 can receive, during loading, several cheque templates CF and a common value SD_(CF) for each.

In Table 5, the so-called base values S[1], . . . S[k] are represented as obtained directly after the irreversible function SOWF applied to the common value SD_(CF).

It goes without saying that in respect of any step of the method described hereinabove, the person skilled in the art can choose and combine the necessary means for implementing the method with the aid of the system of the invention, the said means being known to him.

CODES AND DENOMINATIONS USED

-   AC_C Authentication code for the device 3
-   AC_I Authentication code for the bank BA
-   BA Bank issuing medium 1, financial institution issuing 1
-   BB Bank of the device 3
-   CA Certificate authority (see 10)
-   CDP Cheque dynamic parameters
-   CERT_(B) Public key certificate signed by the authority
-   CF Cheque template
-   DES Data encryption standard
-   h Number of distinctive signs IM_(CF)[i] given by the institution BA
-   i Index of the distinctive sign IM_(CF)[1 . . . h] used
-   ID_(B) Identification of the bank BA
-   ID_(C) Identification of medium 1/card 2
-   ID_(D) Identification of the device
-   ID_(CF) Identification of cheque template
-   IM_(CF) Distinctive sign of a cheque
-   IM_(CF)[1 . . . h] Series of h distinctive signs of cheques
-   IM_(CF)[i] Distinctive sign of index i for a cheque
-   j Index of the chaining values Z
-   k Number of columns in the Table 5
-   m Order of intermediate values
-   MAC Message authentication code
-   n Number of levels in the Table 5
-   N Level or order of a value in a column of the Table 5
-   O_AC_I Commitment value
-   O_IM_(CF) Deduced distinctive sign
-   OWF (One Way Function), irreversible function
-   OWHF (One Way Hash Function), irreversible compression function
-   PK_(B) Public key of BA
-   PK_(CA) Public key of the certificate authority CA
-   RSA (Rivest, Shamir and Adleman), algorithm from RSA Data Security Inc., Redwood City, Calif., USA
-   S[1], . . . S[k] Base values associated with a distinctive sign IM_(CF)[i]
-   SD_(CF) Common base value
-   SIGN_(CF) Digital signature calculated by BA
-   SK Calculated secret Key
-   SOWF (Seed One Way Function), irreversible function for calculating base values
-   SP_(CF) Static parameters of cheque templates
-   SVK Secret verification key of the bank BA
-   Triple DES (Triple Data Encryption Standard), data encryption system applying the DES algorithm three times
-   Z Chaining values

LEGEND FOR THE FIGURES

-   1 Medium
-   2 Payment card
-   3 Device
-   4 Payment terminal
-   5 Table of FIG. 2
-   6 Integrated circuit card of the device 3
-   7 Communication element of the medium 1
-   8 Terminal of the bank BA
-   9 Institution for managing electronic payment
-   10 Certificate authority (CA)

1. A method of payment by electronic cheque between a payment issuer furnished with a medium that includes a blank electronic cheque certified by a financial institution (BA) and an overall amount useable at least partially in respect of the electronic cheque, and a recipient of the payment furnished with a device adapted to receive said electronic cheque of the above mentioned medium, said method comprising the steps of: calculating by the medium of a table, possibly partial, based on at least one set of k base values (S[1], . . . S[k]), by applying successively to each of the base values n times an irreversible function (OWF) with parameter(s) differing preferably with each application and giving k intermediate values n times, wherein said irreversible function is a function from which it is easy to compute the output for a given input, but it is computationally infeasible to compute for a given output an input which maps to the given output; calculating by the medium of a secret key (SK) based on the last k intermediate values of order n and, on the basis of this key (SK), calculating a distinctive sign (IM_(CF)) of the cheque; transmitting by the medium to the device the distinctive sign (IM_(CF)) calculated for the electronic cheque; generating a financial commitment by the medium in relation to the device, as regards the cheque by supplying to the device; a first result (O_AC_I) of the irreversible function (OWF), obtained by processing a value (AC_I), according to a formula O_AC_I=OWF(AC_I), the value AC_I being a product of a first algorithm (MAC) combining a secret verification key (SVK), originating from the financial institution (BA) issuing the electronic cheque, and dynamic parameter (CDP) of this cheque, according to a formula AC_I=MAC (SVK, CDP), and a second result (AC_C) of a second algorithm (MAC) combining the secret key (SK) calculated for the medium, the dynamic parameters (CDP) of this cheque and the first result (O_AC_I), according to a formula AC_C=MAC (SK, CDP ♦ O_AC_I), wherein ♦ signifies a chaining of data, generating by the device, at least one random/pseudorandom guesstimation of k numbers m of successive applications of the irreversible function (OWF) to the k base values (S[1], . . . S[k]), the k numbers m lying between zero, the sum of the k numbers m having to be a determined constant; transmitting by said device the result of the guesstimation to the medium; responding by the medium to said guesstimation by the device with a response that includes the result (AC_I) of the first algorithm combining the secret verification key (SVK) and the dynamic parameters (CDP) of the cheque and, a set of the k intermediate values obtained during the successive applications of the irreversible function (OWF) to each of the k base values (S[1], . . . S[k]), the number or numbers of times m lying between zero and n; successively applying, by said device, the irreversible function (OWF) to each of the k intermediate values of order(s) m until the last k intermediate values of order n are obtained; calculating said secret key (SK), by said device, based on these last k intermediate values of order n and, based on said secret key (SK), a calculation of the distinctive sign (IM_(CF)) of the cheque; comparing, by said device, the distinctive sign (IM_(CF)) thus calculated by the device and the distinctive sign (IM_(CF)) calculated by the medium and received from the latter; and verifying by calculation and comparison in the device of said second result (AC_C) of the second algorithm (MAC) calculated by the device and said second result received from the medium; verifying by calculation and comparison in the device of said first result (O_AC_I) of an irreversible function (OWF) calculated by the device and said first result received from the medium, wherein, if said comparisons and verifications each give equality, an acceptance and a storage by the device (3) of the electronic cheque issued by the medium, thereby allowing the device to recognize the authenticity of the medium and of the cheque being received.
2. Method according to claim 1, wherein the sum of the k numbers m is a constant equal to n*k/2 if the product n*k is even or, if this product is odd, to (n*k−1)/2.
3. Method according to claim 1, comprising: a storage of the medium (1) of at least one electronic cheque template (CF) useable to make at least one aforesaid cheque, a transmission by the medium (1) to the device (3) of: a series of h distinctive signs (IM_(CF)[1 . . . h]) of a cheque, each associated with a distinct set of k base values (S[1], . . . S[k]), contained in the medium (1), an index (i), lying between 1 and h, for designating a particular distinctive sign (IM_(CF)[i]) from among the h aforementioned distinctive signs, a digital signature (SIGN_(CF)) produced by the issuing financial institution (BA) so as to guarantee the said distinctive signs (IM_(CF)[1 . . . h]), and a use by the device (3), for the said comparison, of the particular distinctive sign (IM_(CF)[i]) determined by the index (i) in the guise of distinctive sign (IM_(CF)) received from the medium (1), and a verification by the device (3) for the said digital signature (SIGN_(CF)) by means of a public key (PK_(B)) known to the device (3).
4. Method according to claim 1, which comprises, in respect of the transaction, a transmission by the medium (1) to the device (3) of non-secret data which may be the identification (ID_(B)) of the financial institution (BA) which certifies the electronic cheque and, as appropriate, the public key (PK_(B)) of the issuing financial institution (BA) and a certificate (CERT_(B)) of this public key (PK_(B)) issued by a certificate authority (CA), and wherein the device (3) verifies in this case the authenticity of the said certificate (CERT_(B)) by means of another public key (PK_(CA)), known to the device (3), of the certificate authority (CA).
5. Method according to claim 1, wherein the medium (1) can be reloaded as regards its overall amount and/or its number (i) of electronic cheques in the course of a link with the abovementioned financial institution (BA) or one of its delegates.
6. Method according to claim 1, comprising, for the calculation of the table (5) by the medium (1), a mother base value (SD_(CF)) common to each column (1 . . . k) of the table (5), and an application to this mother base value of at least one irreversible function (SOWF) preferably with different parameter(s) for each column (1 . . . k).
7. Method according to claim 5, wherein in the course of reloading of the medium (1), the medium is furthermore supplied with an identification (ID_(CF)) of cheque templates, updated abovementioned static parameters (SP_(CF)), a series of h distinctive signs (IM_(CF)[1 . . . h]), an abovementioned digital signature (SIGN_(CF)) and a determined number of base values ((S[1], . . . S[k]), or, as appropriate, of at least one aforesaid common base value (SD_(CF)).
8. Method according to claim 1, wherein the device (3) records, during a transaction, the result (AC_I) of the first algorithm and/or, as appropriate, an identification (ID_(B)) of the aforesaid financial institution (BA) and/or an identification (ID_(CF)) of the template of the electronic cheque received and/or the identification (ID_(C)) of the medium (1).
9. Method according to claim 1, wherein in respect of incremental payments of the kind by telephone card, the dynamic parameters (CDP) of the cheques moreover comprise the amount or the sequence of amounts corresponding to the authorized incremental payments, a base chaining value (Z₀), a chaining of successive values (Z_(j)) which each stem successively from the application of an irreversible function to the immediately following value (Z_(j+1)), and wherein after having performed with the hereinabove device (3) a protocol for payment by electronic cheque, the medium (1) can perform an incremental payment by supplying the receiving device (3) with successive chaining values (Z₁, Z₂, Z₃, . . . ), the device (3) preserving a record of the last value (Z_(j)) received and of the corresponding index (j).
10. Method according to claim 1, which comprises a cancellation of a transaction of payment by cheque from the medium (1) to the device (3).
11. Method according to claim 10, which comprises in respect of the aforementioned cancellation, a storage, in the device (3), of at least one electronic cheque template, issued by the financial institution (BB) of the device (3), and of secret data relating to this template, a programming of the medium (1) in such a way that the latter cannot receive a payment by cheque other than from the device (3) to which a transaction was previously paid by means of the said medium (1) the latter storing the cancellation payment cheque until the medium (1) is presented to its corresponding financial institution (BA), in particular for a reloading of the medium (1).
12. Method according to claim 1, which furthermore comprises steps of inverse authentication via which the medium (1) can for its part recognize the authenticity of the device (3).
13. Method according to claim 12, wherein the steps of inverse authentication are of the same kind as those for the authentication of the medium (1), whilst requiring, as appropriate, only a single distinctive sign (IM_(CF)) of electronic cheque template.
14. Method according to claim 12, which comprises, for at least some of the inverse authentication steps, the use of an element (7) for communication between the medium (1) and the device (3), this communication element (7) preferably being held by the payment issuer which holds the said medium (1).
15. Method according to claim 1, which comprises, in the medium (1), a combination of each of the various distinctive signs (IM_(CF)[i]), at a first level, by means of irreversible functions (OWHF) each time with another value or another distinctive sign ((IM_(CF)[i′]), whereas the results (V₁, V₂, V₃, V₄) of each pair of application of the irreversible function (OWHF) are combined at a second level via another application of the irreversible function (OWHF) so as to give new results (V₅, V₆) to be combined at a third level via one or another applications of the irreversible function (OWHF) and so on and so forth until a single result (O_IM_(CF)) is obtained, and which is signed as deduced distinctive sign, by the digital signature (SIGN_(CF)) so as to sign the cheque issued.
16. Method according to claim 15, which comprises, for a verification by the device (3) of the deduced distinctive sign (O_IM_(CF)), a transmission from the medium (1) each time of the second distinctive sign (IM_(CF)[i]) used in a first combination (OWHF) at the first level and, at each succeeding level, of the intermediate result (V₂, V₆) of the irreversible functions (OWHF), which is used so as to be combined successively with the corresponding intermediate result (V₁, V₅) obtained on the basis of the second distinctive sign (IM_(CF)[i]), until the deduced distinctive sign (O_IM_(CF)) is obtained.
17. Payment system for implementing the method according to claim 1, comprising at least one medium (1) furnished with means for storing at least a blank electronic cheque certified by a financial institution (BA), an overall amount useable at least partially in respect of the electronic cheque, at least one distinctive sign (IM_(CF)) for this cheque, which may be included in the latter, at least one set of k base value (S[1], . . . S[k]) which may be derived from a single mother value (SD_(CF)), a secret verification key (SVK) originating from the financial institution (BA) issuing the electronic cheque, and dynamic parameters (CDP) of the said cheque, with means of calculation of a table (5) on the basis of the k base values (S[1], . . . S[k]), by applying successively to each of them n times an irreversible function (OWF) with parameter(s) differing preferably with each application and giving k intermediate values n times, wherein said irreversible function is a function from which it is easy to compute the output for a given input, but it is computationally infeasible to compute for a given output an input which maps to the given output, of a secret key (SK) on the basis of the last k intermediate values of order n and, on the basis of this key (SK), of a distinctive sign (IM_(CF)) of the cheque, of a first result (O_AC_I) of an irreversible function (OWF), obtained by processing a value (AC_I), according to a formula O_AC_I=OWF (AC_I), said value (AC_I) being itself the result of a first algorithm (MAC) combining the secret verification key (SVK) and dynamic parameters (CDP) of the cheque, according to a formula AC_I=MAC (SVK, CDP), and of a second result (AC_C) of a second algorithm (MAC) combining the secret key (SK) calculated for the medium (1), the dynamic parameters (CDP) of this cheque and the first result (O_AC_I) hereinabove, according to a formula AC_C=MAC (SK, CDP ♦ O_AC_I) wherein ♦ signifies a chaining of data, and with means of direct dialogue with at least one device (3) adapted to receive at least one aforesaid electronic cheque from the abovementioned medium (1) and among other things the distinctive sign (IM_(CF)) of the said cheque, the device (3) being equipped with means of random/pseudo-random guesstimation of k number m of successive applications of the irreversible function (OWF) to the k base values (S[1], . . . S[k]), the k number m lying between zero and n and possibly being different from one another, the sum of the k numbers m having to be a determined constant, with means of direct dialogue corresponding to those of the medium (1), so as among other things to carry out a transmission of the result of the guesstimation to the medium (1), with means of calculation successively applying the irreversible function (OWF) to each of the k intermediate values of order m until the last k intermediate values of order n are obtained, of the said secret key (SK) on the basis of these last k intermediate values of order n and, on the basis of this secret key (SK), a calculation of the distinctive sign (IM_(CF)) of the cheque, means of comparison of the distinctive sign (IM_(CF)) thus calculated and of the distinctive sign (IM_(CF)) calculated by the medium (1) and received from the latter, means of verification by calculation and comparison of the said second result (AC_C) of the second algorithm (MAC) and of that received from the medium (1), means of verification by calculation and comparison of the said result (O_AC_I) of an irreversible function (OWF) and of that received from the medium (1) and, means of storage of at least the electronic cheque issued by the medium (1), if the said comparison and verifications each give equality.
18. System according to claim 17, wherein the means of storage of the medium (1) are devised so as to store at least one electronic cheque template (CF) useable to make at least one aforesaid cheque, the means of dialogue of the medium (1) are devised so as to transmit to the device (3) a series of h distinctive signs (IM_(CF)[1 . . . h]) of a cheque, each associated with a distinct set of k base values (S[1], . . . S[k]), contained in the medium (1), an index (i), lying between 1 and h, for designating a particular distinctive sign (IM_(CF)[i]) from among the h aforementioned distinctive signs, a digital signature (SIGN_(CF)) produced by the issuing financial institution (BA) so as to guarantee the said distinctive signs (IM_(CF)[1 . . . h]), and the device (3) is devised so as to use, for the said comparison, the particular distinctive sign (IM_(CF)[i]) determined by the index (i) in the guise of distinctive sign (IM_(CF)) received from the medium (1), and the device (3) comprises means of calculation devised so as to verify the said digital signature (SIGN_(CF)) by means of a public key (PK_(B)) known to the device (3).
 19. System according to claim 18, wherein the means of dialogue of the medium (1) are devised, so as to transmit to the device (3) non-secret data which may be the identification (ID_(B)) of the financial institution (BA) which certifies the electronic cheque and, as appropriate, the public key (PK_(B)) of the issuing financial institution (BA) and a certificate (CERT_(B)) of this public key (PK_(B)) issued by a certificate authority (CA), and the device is devised so as to verify the authenticity of the said certificate (CERT_(B)) by means of another public key (PK_(CA)), known to the device (3), of the certificate authority (CA).
 20. System according to claim 17, comprising as medium (1) a payment card (2) of the integrated circuit type and as device (3) a payment terminal (4) with reading and writing for a card (2) of this type.
 21. System according to claim 20, comprising as medium (1) a payment card (2) of the integrated circuit type and as device (3) a payment terminal (4) with reading and writing for a card (2) of this type and furnished with means of transferring data received from the said card (2), and/or processed by the terminal (4), into storage means (6) detachable from the terminal (4) proper and in particular transportable to a financial institution (BB) so as to perform therein a transfer of the said data.
 22. System according to claim 20, wherein, in particular in the case where the device (3) is remote from the issuer of the payment and/or in the case of steps of inverse authentication of the device (3) by the medium (1), the abovementioned medium (1) is composed among other things, on the one hand, of the aforesaid integrated circuit card (2) and, on the other hand, of a communication element (7), for dialogue between the card and the said device (3).
 23. A method of offline payment by electronic check between a payment issuer furnished with a medium comprising at least one blank electronic check comprising a message authentication code algorithm and a set of irreversible functions, wherein an irreversible function is a function from which it is easy to compute the output for a given input, but it is computationally infeasible to compute for a given output an input which maps to the given output; and a recipient of the payment furnished with an electronic check receiving device adapted to receive said electronic check of said medium, said electronic check receiving device comprising said message authentication code algorithm and said set of irreversible functions, said method comprising the steps of calculating by said medium a secret key and a distinctive sign of said electronic check, said calculation based on the use of said message authentication code algorithm and application of said set of irreversible functions; transmitting by said medium to the electronic check receiving device said distinctive sign; generating by said medium: a first authentication code, a financial commitment value, and a second authentication code; said second authentication code obtained by applying said message authentication code algorithm to said financial commitment value with said secret key; transmitting by said medium said financial commitment value and said second authentication code to said electronic check receiving device; generating by said electronic check receiving device, in response to said financial commitment value, a challenge, said challenge based on the application of said set of irreversible functions; transmitting by said electronic check receiving device said challenge to said medium; generating by said medium, in response to said challenge, a response based on the application of said set of irreversible functions; transmitting by said medium said first authentication code and said response to said electronic check receiving device, in response to said challenge received from said electronic check receiving device; calculating, by said electronic check receiving device, said secret key of said electronic check and the distinctive sign of said electronic check by applying said set of irreversible functions to said response; comparing, by said electronic check receiving device, the distinctive sign calculated by said electronic check receiving device and the distinctive sign received from said medium; verifying by calculation and comparison by said electronic check receiving device, said financial commitment value and said second authentication code, said verifying based on use of said secret key, wherein, if said comparison and verification each give equality, said electronic check issued by said medium is accepted and stored by said electronic check receiving device, thereby, allowing said electronic check receiving device to recognize the authenticity of the medium and of the electronic check being received.
 24. The method according to claim 23, wherein said first authentication code is generated via said message authentication code algorithm and based upon said secret key and dynamic parameters of said electronic check.
 25. The method according to claim 23, wherein said financial commitment value is generated via application of said set of irreversible functions and based upon said first authentication code.
 26. The method according to claim 23, wherein said second authentication code is generated via said message authentication code algorithm and based upon said secret key, dynamic parameters of said electronic check, and said financial commitment value.
 27. The method according to claim 23, wherein said set of irreversible functions are chosen from the group consisting of: a first parametrized irreversible function; a second parametrized irreversible function; and, an irreversible compression function.
 28. A system for offline payment by electronic check, said system comprising an electronic check medium, said electronic check medium comprising an electronic check template; a message authentication code algorithm; a set of irreversible functions, wherein an irreversible function is a function from which it is easy to compute the output for a given input, but it is computationally infeasible to compute for a given output an input which maps to the given output; a set of base values associated with distinctive signs; a secret key; an identifier of said electronic check medium's bank; a first public key of said electronic check medium's bank; and a first public key certificate; an electronic check receiving device, said electronic check receiving device comprising said message authentication code algorithm; said set of irreversible functions; a second public key of said electronic check receiving device's bank; and a second public key certificate.
 29. The system according to claim 28 wherein said set of irreversible functions is chosen from the group consisting of: a first parametrized irreversible function; a second parametrized irreversible function; and, an irreversible compression function.
 30. The system according to claim 29 wherein said electronic check template comprises: (1) an identifier of said electronic check template, (2) an identifier of said electronic check medium, (3) static parameters, (4) a series of distinctive signs, and (5) a digital signature from said electronic check medium's bank.
 31. The system according to claim 30, wherein said electronic check medium transmits to electronic check receiving device (1) said electronic check template; (2) said identifier of said electronic check medium's bank; (3) said first public key of said electronic check medium's bank; (4) said first public key certificate; and (5) an index associated with said series of distinctive signs to indicate which distinctive sign to use.
 32. The system according to claim 31, wherein said electronic check receiving device verifies (1) said first public key certificate, and (2) said digital signature from said electronic check medium's bank.
 33. The system according to claim 32, wherein said electronic check medium calculates a first authentication code via said message authentication code algorithm, based upon a secret verification key and dynamic parameters of said electronic check; a financial commitment value via application of said set of irreversible functions, based upon said first authentication code; and a second authentication code via said message authentication code algorithm, based upon said secret key, said dynamic parameters of said electronic check, and said financial commitment value, wherein said electronic check medium transmits said second authentication code and said financial commitment value to said electronic check receiving device.
 34. The system according to claim 33, wherein said electronic check receiving device calculates at least one challenge via application of said second set of irreversible functions for the purpose of verifying said electronic check medium and transmits said challenge to said electronic check medium.
 35. The system according to claim 34, wherein said electronic check medium transmits a response and said first authentication code to said electronic check receiving device in response to said challenge received from said electronic check receiving device.
 36. The system according to claim 35, wherein said electronic check receiving device calculates a second distinctive sign via application of said set of irreversible functions; verifies whether said second distinctive sign corresponds with said distinctive sign based on said index received from said electronic check medium; and verifies said first authentication code and said financial commitment value received from said electronic check medium, wherein, if the said verifications each give equality, said electronic check issued by said electronic check medium is accepted and stored by said electronic check receiving device, thereby, allowing said electronic check receiving device to recognize the authenticity of said electronic check medium and of said electronic check being received.
 37. A system for offline payment by electronic check, said system comprising an electronic check medium, said electronic check medium comprising an electronic check template; a message authentication code algorithm; a set of irreversible functions, wherein an irreversible function is a function from which it is easy to compute the output for a given input, but it is computationally infeasible to compute for a given output an input which maps to the given output; a set of base values associated with distinctive signs; a secret key; an identifier of said electronic check medium's bank; a first public key of said electronic check medium's bank; and a first public key certificate.
 38. The system according to claim 37 wherein said set of irreversible functions is chosen from the group consisting of: a first parametrized irreversible function; a second parametrized irreversible function; and, an irreversible compression function.
 39. A method of offline payment using an electronic check medium with a memory and an integrated circuit residing thereon, comprising: communicating a commitment value calculated by the electronic check medium to a terminal configured to receive a payment from the electronic check medium, the commitment value being calculated based on a first authentication code and a secret key, wherein the first authentication code is calculated based on a payment amount and a secret verification key; communicating to the electronic check medium a random/pseudo-random guesstimation determined by the terminal in response to receiving at least the verification code, the random/pseudo-random guesstimation being configured to verify that the electronic check medium is authentic; communicating to the terminal a second authentication code determined by the electronic check medium, the second authentication code being based on the random/pseudo-random guesstimation; verifying the received second authentication by comparing the second authentication code with the random/pseudo-random guesstimation; and accepting payment from the electronic check medium in response to verifying the second authentication.
 40. The method of claim 39, further comprising calculating the first authentication code, wherein the secret verification key verifies the issuing bank.
 41. The method of claim 39, further comprising calculating the first authentication code, wherein the first authentication code contains information specifying a maximum number of times that the electronic check medium may be used to make payments therefrom.
 42. The method of claim 41 further comprising: calculating a number of times that payment has been made from the electronic check medium; and permitting payment only when the electronic check medium has not been used for payment more times than the maximum number of times.
 43. The method according to claim 39 wherein receiving the specification further comprises receiving an identification of a party that is to receive payment.
 44. The method of claim 39, wherein the payment amount corresponds to an amount to be received by the electronic check medium from the terminal.
 45. The method of claim 39, further comprising generating an audit trail by the electronic check medium, the audit trail corresponding to the sum of previous payment amounts plus the payment amount made to the terminal, such that a predefined maximum transaction amount associated with the electronic check medium is not exceeded.
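
The exchange recited in claim 17, from commitment through terminal-side verification, is sketched below as an added example that is not part of the patent text. It assumes SHA-256 as the parametrized irreversible function (OWF), HMAC-SHA-256 as the MAC, and hypothetical derivations for SK and IM_(CF); the bank signature over IM_(CF) from claim 18 is omitted, and all names and sample values are constructed.

```python
import hashlib, hmac, secrets

def owf(value: bytes, param: bytes) -> bytes:
    # Assumed OWF: SHA-256 with a public parameter prepended.
    return hashlib.sha256(param + value).digest()

def advance(value, col, start, stop):
    # Apply the OWF for steps start..stop-1 of column `col` (parameter differs per step).
    for step in range(start, stop):
        value = owf(value, bytes([col, step]))
    return value

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_sk_im(tops):
    # Assumed derivations: SK compresses the k order-n values; IM_CF = OWF(SK).
    sk = hashlib.sha256(b"SK" + b"".join(tops)).digest()
    return sk, owf(sk, b"IM")

class Medium:
    def __init__(self, base, n, svk):
        self.base, self.svk = base, svk
        self.sk, self.im_cf = derive_sk_im([advance(s, j, 0, n) for j, s in enumerate(base)])

    def commit(self, cdp):
        self.ac_i = mac(self.svk, cdp)                 # AC_I = MAC(SVK, CDP)
        o_ac_i = owf(self.ac_i, b"AC")                 # O_AC_I = OWF(AC_I)
        return o_ac_i, mac(self.sk, cdp + o_ac_i)      # AC_C = MAC(SK, CDP || O_AC_I)

    def respond(self, m):
        # Reveal the order-m[j] intermediate value of each column, plus AC_I.
        return [advance(s, j, 0, m[j]) for j, s in enumerate(self.base)], self.ac_i

def make_challenge(k, n, total):
    # k draws in 0..n whose sum is the fixed constant `total` (needs total <= k*n).
    m = [0] * k
    for _ in range(total):
        j = secrets.choice([i for i in range(k) if m[i] < n])
        m[j] += 1
    return m

def terminal_verify(im_cf, cdp, o_ac_i, ac_c, m, resp, ac_i, n):
    # Finish each chain from order m[j] to order n, then repeat the medium's calculations.
    sk, im = derive_sk_im([advance(v, j, m[j], n) for j, v in enumerate(resp)])
    return (hmac.compare_digest(im, im_cf)
            and hmac.compare_digest(mac(sk, cdp + o_ac_i), ac_c)
            and hmac.compare_digest(owf(ac_i, b"AC"), o_ac_i))

def run_payment(k=4, n=8, total=16):
    base = [secrets.token_bytes(16) for _ in range(k)]    # constructed base values
    card = Medium(base, n, svk=secrets.token_bytes(16))
    cdp = b"amount=12.50;payee=T-0001;seq=1"              # constructed CDP
    o_ac_i, ac_c = card.commit(cdp)
    m = make_challenge(k, n, total)
    resp, ac_i = card.respond(m)
    return terminal_verify(card.im_cf, cdp, o_ac_i, ac_c, m, resp, ac_i, n)
```

Because the k draws must sum to a fixed constant, any second challenge that differs from the first asks for at least one value of lower order than was revealed, so a recorded response does not verify against it.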